{
  "description": "Enterprise techniques used by Apostle, ATT&CK software S1133 (v1.0)",
  "name": "Apostle (S1133)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1485", "comment": "[Apostle](https://attack.mitre.org/software/S1133) initially masqueraded as ransomware, but its actual functionality is that of a data destruction tool, supported by an internal name linked to an early version, wiper-action. [Apostle](https://attack.mitre.org/software/S1133) writes random data to original files after an encrypted copy is created, then resizes the original file to zero and changes its time property metadata before finally deleting the original file.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1486", "comment": "[Apostle](https://attack.mitre.org/software/S1133) creates new, encrypted versions of files, then deletes the originals, with the new filenames consisting of a random GUID and \".lock\" as an extension.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[Apostle](https://attack.mitre.org/software/S1133)'s compiled code is obfuscated in an unspecified fashion prior to delivery to victims.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1561", "showSubtechniques": true},
    {"techniqueID": "T1561.001", "comment": "[Apostle](https://attack.mitre.org/software/S1133) searches for files on available drives based on a list of extensions hard-coded into the sample for follow-on wipe activity.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1480", "comment": "[Apostle](https://attack.mitre.org/software/S1133)'s ransomware variant requires that a base64-encoded argument be passed when executed, which is used as the public key for subsequent encryption operations. If [Apostle](https://attack.mitre.org/software/S1133) is executed without this argument, it automatically runs a self-delete function.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.001", "comment": "[Apostle](https://attack.mitre.org/software/S1133) will attempt to delete all event logs on a victim machine following file wipe activity.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Apostle](https://attack.mitre.org/software/S1133) writes batch scripts to disk, such as system.bat and remover.bat, that perform various anti-analysis and anti-forensic tasks before finally deleting themselves at the end of execution. [Apostle](https://attack.mitre.org/software/S1133) attempts to delete itself after encryption or wiping operations are complete and before shutting down the victim machine.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[Apostle](https://attack.mitre.org/software/S1133) retrieves a list of all running processes on a victim host and stops all services containing the string \"sql\", likely to propagate ransomware activity to database files.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Apostle](https://attack.mitre.org/software/S1133) achieves persistence by creating a scheduled task, such as MicrosoftCrashHandlerUAC.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1529", "comment": "[Apostle](https://attack.mitre.org/software/S1133) reboots the victim machine following wiping and related activity.(Citation: SentinelOne Agrius 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Apostle", "color": "#66b1ff"}]
}